xmltooling/security/impl/FilesystemCredentialResolver.cpp

   1 /*
   2  *  Copyright 2001-2007 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * FilesystemCredentialResolver.cpp
  19  *
  20  * Supplies credentials from local files
  21  */
  22
  23 #include "internal.h"
  24 #include "security/KeyResolver.h"
  25 #include "security/OpenSSLCredentialResolver.h"
  26 #include "util/NDC.h"
  27 #include "util/XMLHelper.h"
  28
  29 #include <sys/types.h>
  30 #include <sys/stat.h>
  31 #include <algorithm>
  32 #include <openssl/pkcs12.h>
  33 #include <log4cpp/Category.hh>
  34 #include <xercesc/util/XMLUniDefs.hpp>
  35 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
  36 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
  37 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
  38
  39 using namespace xmlsignature;
  40 using namespace xmltooling;
  41 using namespace log4cpp;
  42 using namespace std;
  43
  44 // OpenSSL password callback...
  45 static int passwd_callback(char* buf, int len, int verify, void* passwd)
  46 {
  47     if(!verify)
  48     {
  49         if(passwd && len > strlen(reinterpret_cast<char*>(passwd)))
  50         {
  51             strcpy(buf,reinterpret_cast<char*>(passwd));
  52             return strlen(buf);
  53         }
  54     }
  55     return 0;
  56 }
  57
  58 namespace xmltooling {
  59     class XMLTOOL_DLLLOCAL FilesystemCredentialResolver : public OpenSSLCredentialResolver, public KeyResolver
  60     {
  61     public:
  62         FilesystemCredentialResolver(const DOMElement* e);
  63         virtual ~FilesystemCredentialResolver();
  64
  65         Lockable* lock() { return this; }
  66         void unlock() {}
  67
  68         XSECCryptoKey* loadKey();
  69
  70         XSECCryptoKey* getKey(const KeyInfo* keyInfo=NULL) const { return m_key ? m_key->clone() : NULL; }
  71         const vector<XSECCryptoX509*>& getCertificates() const { return m_xseccerts; }
  72         void attach(SSL_CTX* ctx) const;
  73
  74         XSECCryptoKey* resolveKey(const KeyInfo* keyInfo) const { return m_key ? m_key->clone() : NULL; }
  75         XSECCryptoKey* resolveKey(DSIGKeyInfoList* keyInfo) const { return m_key ? m_key->clone() : NULL; }
  76         vector<XSECCryptoX509*>::size_type resolveCertificates(const KeyInfo* keyInfo, ResolvedCertificates& certs) const {
  77             accessCertificates(certs).assign(m_xseccerts.begin(), m_xseccerts.end());
  78             accessOwned(certs) = false;
  79             return accessCertificates(certs).size();
  80         }
  81         vector<XSECCryptoX509*>::size_type resolveCertificates(DSIGKeyInfoList* keyInfo, ResolvedCertificates& certs) const {
  82             accessCertificates(certs).assign(m_xseccerts.begin(), m_xseccerts.end());
  83             accessOwned(certs) = false;
  84             return accessCertificates(certs).size();
  85         }
  86
  87     private:
  88         enum format_t { PEM=SSL_FILETYPE_PEM, DER=SSL_FILETYPE_ASN1, _PKCS12, UNKNOWN };
  89
  90         format_t getEncodingFormat(BIO* in) const;
  91         string formatToString(format_t format) const;
  92         format_t xmlFormatToFormat(const XMLCh* format_xml) const;
  93
  94         format_t m_keyformat;
  95         string m_keypath,m_keypass;
  96         vector<X509*> m_certs;
  97         vector<XSECCryptoX509*> m_xseccerts;
  98         XSECCryptoKey* m_key;
  99     };
 100
 101     CredentialResolver* XMLTOOL_DLLLOCAL FilesystemCredentialResolverFactory(const DOMElement* const & e)
 102     {
 103         return new FilesystemCredentialResolver(e);
 104     }
 105
 106     KeyResolver* XMLTOOL_DLLLOCAL FilesystemKeyResolverFactory(const DOMElement* const & e)
 107     {
 108         return new FilesystemCredentialResolver(e);
 109     }
 110 };
 111
 112 static const XMLCh CAPath[] =           UNICODE_LITERAL_6(C,A,P,a,t,h);
 113 static const XMLCh Certificate[] =      UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e);
 114 static const XMLCh format[] =           UNICODE_LITERAL_6(f,o,r,m,a,t);
 115 static const XMLCh Key[] =              UNICODE_LITERAL_3(K,e,y);
 116 static const XMLCh password[] =         UNICODE_LITERAL_8(p,a,s,s,w,o,r,d);
 117 static const XMLCh Path[] =             UNICODE_LITERAL_4(P,a,t,h);
 118
 119 FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e) : m_key(NULL)
 120 {
 121 #ifdef _DEBUG
 122     NDC ndc("FilesystemCredentialResolver");
 123 #endif
 124     Category& log=Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver");
 125
 126     format_t fformat;
 127     const XMLCh* format_xml=NULL;
 128     BIO* in = NULL;
 129
 130     // Move to Key
 131     const DOMElement* root=e;
 132     e=XMLHelper::getFirstChildElement(root,Key);
 133     if (e) {
 134
 135         // Get raw format attrib value, but defer processing til later since may need to
 136         // determine format dynamically, and we need the Path for that.
 137         format_xml=e->getAttributeNS(NULL,format);
 138
 139         const XMLCh* password_xml=e->getAttributeNS(NULL,password);
 140         if (password_xml) {
 141             auto_ptr_char kp(password_xml);
 142             m_keypass=kp.get();
 143         }
 144
 145         e=XMLHelper::getFirstChildElement(e,Path);
 146         if (e && e->hasChildNodes()) {
 147             const XMLCh* s=e->getFirstChild()->getNodeValue();
 148             auto_ptr_char kpath(s);
 149 #ifdef WIN32
 150             struct _stat stat_buf;
 151             if (_stat(kpath.get(), &stat_buf) != 0)
 152 #else
 153             struct stat stat_buf;
 154             if (stat(kpath.get(), &stat_buf) != 0)
 155 #endif
 156             {
 157                 log.error("key file (%s) can't be opened", kpath.get());
 158                 throw XMLSecurityException("FilesystemCredentialResolver can't access key file ($1)",params(1,kpath.get()));
 159             }
 160             m_keypath=kpath.get();
 161         }
 162         else {
 163             log.error("Path element missing inside Key element");
 164             throw XMLSecurityException("FilesystemCredentialResolver can't access key file, no Path element specified.");
 165         }
 166
 167         // Determine the key encoding format dynamically, if not explicitly specified
 168         if (format_xml && *format_xml) {
 169             fformat = xmlFormatToFormat(format_xml);
 170             if (fformat != UNKNOWN) {
 171                 m_keyformat = fformat;
 172             }
 173             else {
 174                 auto_ptr_char unknown(format_xml);
 175                 log.error("configuration specifies unknown key encoding format (%s)", unknown.get());
 176                 throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown key encoding format ($1)",params(1,unknown.get()));
 177             }
 178         }
 179         else {
 180             in=BIO_new(BIO_s_file_internal());
 181             if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
 182                 m_keyformat = getEncodingFormat(in);
 183                 log.debug("key encoding format for (%s) dynamically resolved as (%s)", m_keypath.c_str(), formatToString(m_keyformat).c_str());
 184             }
 185             else {
 186                 log.error("key file (%s) can't be read to determine encoding format", m_keypath.c_str());
 187                 throw XMLSecurityException("FilesystemCredentialResolver can't read key file ($1) to determine encoding format",params(1,m_keypath.c_str()));
 188             }
 189             if (in)
 190                 BIO_free(in);
 191             in = NULL;
 192         }
 193
 194         // Load the key.
 195         m_key = loadKey();
 196     }
 197
 198     // Check for Certificate
 199     e=XMLHelper::getFirstChildElement(root,Certificate);
 200     if (!e)
 201         return;
 202     auto_ptr_char certpass(e->getAttributeNS(NULL,password));
 203
 204     DOMElement* ep=XMLHelper::getFirstChildElement(e,Path);
 205     if (!ep || !ep->hasChildNodes()) {
 206         log.error("Path element missing inside Certificate element or is empty");
 207         throw XMLSecurityException("FilesystemCredentialResolver can't access certificate file, missing or empty Path element.");
 208     }
 209
 210     auto_ptr_char certpath(ep->getFirstChild()->getNodeValue());
 211     format_xml=e->getAttributeNS(NULL,format);
 212     if (format_xml && *format_xml) {
 213         fformat = xmlFormatToFormat(format_xml);
 214         if (fformat == UNKNOWN) {
 215             auto_ptr_char unknown(format_xml);
 216             log.error("configuration specifies unknown certificate encoding format (%s)", unknown.get());
 217             throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown certificate encoding format ($1)",params(1,unknown.get()));
 218         }
 219     }
 220
 221     try {
 222         X509* x=NULL;
 223         PKCS12* p12=NULL;
 224         in=BIO_new(BIO_s_file_internal());
 225         if (in && BIO_read_filename(in,certpath.get())>0) {
 226             if (!format_xml || !*format_xml) {
 227                 // Determine the cert encoding format dynamically, if not explicitly specified
 228                 fformat = getEncodingFormat(in);
 229                 log.debug("certificate encoding format for (%s) dynamically resolved as (%s)", certpath.get(), formatToString(fformat).c_str());
 230             }
 231
 232             switch(fformat) {
 233                 case PEM:
 234                     while (x=PEM_read_bio_X509(in,NULL,passwd_callback,const_cast<char*>(certpass.get())))
 235                         m_certs.push_back(x);
 236                     break;
 237
 238                 case DER:
 239                     x=d2i_X509_bio(in,NULL);
 240                     if (x)
 241                         m_certs.push_back(x);
 242                     else {
 243                         log_openssl();
 244                         BIO_free(in);
 245                         throw XMLSecurityException("FilesystemCredentialResolver unable to load DER certificate from file ($1)",params(1,certpath.get()));
 246                     }
 247                     break;
 248
 249                 case _PKCS12:
 250                     p12=d2i_PKCS12_bio(in,NULL);
 251                     if (p12) {
 252                         PKCS12_parse(p12, certpass.get(), NULL, &x, NULL);
 253                         PKCS12_free(p12);
 254                     }
 255                     if (x) {
 256                         m_certs.push_back(x);
 257                         x=NULL;
 258                     } else {
 259                         log_openssl();
 260                         BIO_free(in);
 261                         throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 certificate from file ($1)",params(1,certpath.get()));
 262                     }
 263                     break;
 264             } // end switch
 265
 266         } else {
 267             log_openssl();
 268             if (in) {
 269                 BIO_free(in);
 270                 in=NULL;
 271             }
 272             throw XMLSecurityException("FilesystemCredentialResolver unable to load certificate(s) from file ($1)",params(1,certpath.get()));
 273         }
 274         if (in) {
 275             BIO_free(in);
 276             in=NULL;
 277         }
 278
 279         if (m_certs.empty()) {
 280             throw XMLSecurityException("FilesystemCredentialResolver unable to load any certificate(s)");
 281         }
 282
 283         // Load any extra CA files.
 284         DOMElement* extra=XMLHelper::getFirstChildElement(e,CAPath);
 285         while (extra) {
 286             if (!extra->hasChildNodes()) {
 287                 log.warn("skipping empty CAPath element");
 288                 extra = XMLHelper::getNextSiblingElement(extra,CAPath);
 289                 continue;
 290             }
 291             auto_ptr_char capath(extra->getFirstChild()->getNodeValue());
 292             x=NULL;
 293             p12=NULL;
 294             in=BIO_new(BIO_s_file_internal());
 295             if (in && BIO_read_filename(in,capath.get())>0) {
 296                 if (!format_xml || !*format_xml) {
 297                     // Determine the cert encoding format dynamically, if not explicitly specified
 298                     fformat = getEncodingFormat(in);
 299                     log.debug("CA certificate encoding format for (%s) dynamically resolved as (%s)", certpath.get(), formatToString(fformat).c_str());
 300                 }
 301
 302                 switch (fformat) {
 303                     case PEM:
 304                         while (x=PEM_read_bio_X509(in,NULL,passwd_callback,const_cast<char*>(certpass.get())))
 305                             m_certs.push_back(x);
 306                         break;
 307
 308                     case DER:
 309                         x=d2i_X509_bio(in,NULL);
 310                         if (x)
 311                             m_certs.push_back(x);
 312                         else {
 313                             log_openssl();
 314                             BIO_free(in);
 315                             throw XMLSecurityException("FilesystemCredentialResolver unable to load DER CA certificate from file ($1)",params(1,capath.get()));
 316                         }
 317                         break;
 318
 319                     case _PKCS12:
 320                         p12 = d2i_PKCS12_bio(in, NULL);
 321                         if (p12) {
 322                             PKCS12_parse(p12, certpass.get(), NULL, &x, NULL);
 323                             PKCS12_free(p12);
 324                         }
 325                         if (x) {
 326                             m_certs.push_back(x);
 327                             x=NULL;
 328                         }
 329                         else {
 330                             log_openssl();
 331                             BIO_free(in);
 332                             throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 CA certificate from file ($1)",params(1,capath.get()));
 333                         }
 334                         break;
 335                 } //end switch
 336
 337                 BIO_free(in);
 338             }
 339             else {
 340                 if (in)
 341                     BIO_free(in);
 342                 log_openssl();
 343                 log.error("CA file (%s) can't be opened", capath.get());
 344                 throw XMLSecurityException("FilesystemCredentialResolver can't open CA file ($1)",params(1,capath.get()));
 345             }
 346
 347             extra = XMLHelper::getNextSiblingElement(extra,CAPath);
 348         }
 349     }
 350     catch (XMLToolingException&) {
 351         for (vector<X509*>::iterator j=m_certs.begin(); j!=m_certs.end(); j++)
 352             X509_free(*j);
 353         throw;
 354     }
 355
 356     // Reflect certs over to XSEC form.
 357     for (vector<X509*>::iterator j=m_certs.begin(); j!=m_certs.end(); j++)
 358         m_xseccerts.push_back(new OpenSSLCryptoX509(*j));
 359 }
 360
 361 XSECCryptoKey* FilesystemCredentialResolver::loadKey()
 362 {
 363 #ifdef _DEBUG
 364     NDC ndc("loadKey");
 365 #endif
 366
 367     // Get a EVP_PKEY.
 368     EVP_PKEY* pkey=NULL;
 369     BIO* in=BIO_new(BIO_s_file_internal());
 370     if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
 371         switch (m_keyformat) {
 372             case PEM:
 373                 pkey=PEM_read_bio_PrivateKey(in, NULL, passwd_callback, const_cast<char*>(m_keypass.c_str()));
 374                 break;
 375
 376             case DER:
 377                 pkey=d2i_PrivateKey_bio(in, NULL);
 378                 break;
 379
 380             default: {
 381                 PKCS12* p12 = d2i_PKCS12_bio(in, NULL);
 382                 if (p12) {
 383                     PKCS12_parse(p12, const_cast<char*>(m_keypass.c_str()), &pkey, NULL, NULL);
 384                     PKCS12_free(p12);
 385                 }
 386             }
 387         }
 388     }
 389     if (in)
 390         BIO_free(in);
 391
 392     // Now map it to an XSEC wrapper.
 393     if (pkey) {
 394         XSECCryptoKey* ret=NULL;
 395         switch (pkey->type) {
 396             case EVP_PKEY_RSA:
 397                 ret=new OpenSSLCryptoKeyRSA(pkey);
 398                 break;
 399
 400             case EVP_PKEY_DSA:
 401                 ret=new OpenSSLCryptoKeyDSA(pkey);
 402                 break;
 403
 404             default:
 405                 Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver").error("unsupported private key type");
 406         }
 407         EVP_PKEY_free(pkey);
 408         if (ret)
 409             return ret;
 410     }
 411
 412     log_openssl();
 413     throw XMLSecurityException("FilesystemCredentialResolver unable to load private key from file.");
 414 }
 415
 416 FilesystemCredentialResolver::~FilesystemCredentialResolver()
 417 {
 418     delete m_key;
 419     for_each(m_certs.begin(),m_certs.end(),X509_free);
 420     for_each(m_xseccerts.begin(),m_xseccerts.end(),xmltooling::cleanup<XSECCryptoX509>());
 421 }
 422
 423 void FilesystemCredentialResolver::attach(SSL_CTX* ctx) const
 424 {
 425 #ifdef _DEBUG
 426     NDC ndc("attach");
 427 #endif
 428
 429     // Attach key.
 430     SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
 431     SSL_CTX_set_default_passwd_cb_userdata(ctx, const_cast<char*>(m_keypass.c_str()));
 432
 433     int ret=0;
 434     switch (m_keyformat) {
 435         case PEM:
 436             ret=SSL_CTX_use_PrivateKey_file(ctx, m_keypath.c_str(), m_keyformat);
 437             break;
 438
 439         case DER:
 440             ret=SSL_CTX_use_RSAPrivateKey_file(ctx, m_keypath.c_str(), m_keyformat);
 441             break;
 442
 443         default: {
 444             BIO* in=BIO_new(BIO_s_file_internal());
 445             if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
 446                 EVP_PKEY* pkey=NULL;
 447                 PKCS12* p12 = d2i_PKCS12_bio(in, NULL);
 448                 if (p12) {
 449                     PKCS12_parse(p12, const_cast<char*>(m_keypass.c_str()), &pkey, NULL, NULL);
 450                     PKCS12_free(p12);
 451                     if (pkey) {
 452                         ret=SSL_CTX_use_PrivateKey(ctx, pkey);
 453                         EVP_PKEY_free(pkey);
 454                     }
 455                 }
 456             }
 457             if (in)
 458                 BIO_free(in);
 459         }
 460     }
 461
 462     if (ret!=1) {
 463         log_openssl();
 464         throw XMLSecurityException("Unable to attach private key to SSL context.");
 465     }
 466
 467     // Attach certs.
 468     for (vector<X509*>::const_iterator i=m_certs.begin(); i!=m_certs.end(); i++) {
 469         if (i==m_certs.begin()) {
 470             if (SSL_CTX_use_certificate(ctx, *i) != 1) {
 471                 log_openssl();
 472                 throw XMLSecurityException("Unable to attach client certificate to SSL context.");
 473             }
 474         }
 475         else {
 476             // When we add certs, they don't get ref counted, so we need to duplicate them.
 477             X509* dup = X509_dup(*i);
 478             if (SSL_CTX_add_extra_chain_cert(ctx, dup) != 1) {
 479                 X509_free(dup);
 480                 log_openssl();
 481                 throw XMLSecurityException("Unable to attach CA certificate to SSL context.");
 482             }
 483         }
 484     }
 485 }
 486
 487 // Used to determine the encoding format of credentials files
 488 // dynamically. Supports: PEM, DER, PKCS12.
 489 FilesystemCredentialResolver::format_t FilesystemCredentialResolver::getEncodingFormat(BIO* in) const
 490 {
 491     PKCS12* p12 = NULL;
 492     format_t format;
 493
 494     const int READSIZE = 1;
 495     char buf[READSIZE];
 496     char b1;
 497     int mark;
 498
 499     try {
 500         if ( (mark = BIO_tell(in)) < 0 )
 501             throw XMLSecurityException("getEncodingFormat: BIO_tell() can't get the file position");
 502         if ( BIO_read(in, buf, READSIZE) <= 0 )
 503             throw XMLSecurityException("getEncodingFormat: BIO_read() can't read from the stream");
 504         if ( BIO_seek(in, mark) < 0 )
 505             throw XMLSecurityException("getEncodingFormat: BIO_seek() can't reset the file position");
 506     }
 507     catch (...) {
 508         log_openssl();
 509         throw;
 510     }
 511
 512     b1 = buf[0];
 513
 514     // This is a slight variation of the Java code by Chad La Joie.
 515     //
 516     // Check the first byte of the file.  If it's some kind of
 517     // DER-encoded structure (including PKCS12), it will begin with ASCII 048.
 518     // Otherwise, assume it's PEM.
 519     if (b1 !=  48) {
 520         format = PEM;
 521     } else {
 522         // Here we know it's DER-encoded, now try to parse it as a PKCS12
 523         // ASN.1 structure.  If it fails, must be another kind of DER-encoded
 524         // key/cert structure.  A little inefficient...but it works.
 525         if ( (p12=d2i_PKCS12_bio(in,NULL)) == NULL ) {
 526             format = DER;
 527         } else {
 528             format = _PKCS12;
 529         }
 530         if (p12)
 531             PKCS12_free(p12);
 532         if ( BIO_seek(in, mark) < 0 ) {
 533             log_openssl();
 534             throw XMLSecurityException("getEncodingFormat: BIO_seek() can't reset the file position");
 535         }
 536     }
 537
 538     return format;
 539 }
 540
 541 // Convert key/cert format_t types to a human-meaningful string for debug output
 542 string FilesystemCredentialResolver::formatToString(format_t format) const
 543 {
 544     switch(format) {
 545         case PEM:
 546             return "PEM";
 547         case DER:
 548             return "DER";
 549         case _PKCS12:
 550             return "PKCS12";
 551         default:
 552             return "UNKNOWN";
 553     }
 554 }
 555
 556 // Convert key/cert raw XML format attribute (XMLCh[]) to format_t type
 557 FilesystemCredentialResolver::format_t FilesystemCredentialResolver::xmlFormatToFormat(const XMLCh* format_xml) const
 558 {
 559     static const XMLCh cPEM[] = UNICODE_LITERAL_3(P,E,M);
 560     static const XMLCh cDER[] = UNICODE_LITERAL_3(D,E,R);
 561     static const XMLCh cPKCS12[] = { chLatin_P, chLatin_K, chLatin_C, chLatin_S, chDigit_1, chDigit_2, chNull };
 562     format_t format;
 563
 564     if (!XMLString::compareString(format_xml,cPEM))
 565         format=PEM;
 566     else if (!XMLString::compareString(format_xml,cDER))
 567         format=DER;
 568     else if (!XMLString::compareString(format_xml,cPKCS12))
 569         format=_PKCS12;
 570     else
 571         format=UNKNOWN;
 572
 573     return format;
 574 }